Is the use of reCAPTCHA GDPR-compliant?
54 comments
February 7, 2025
ben_w
Good spot, the real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de
tgsovlerkhgsel
With a non-compliant cookie banner to start with...
stavros
Wow, nice catch, I've flagged it.
doener
Oh thank you, I did not notice that.
sschueller
I would recommend friendlycaptcha[1] which you can also run locally (including the server).
rustc
> Based on proof-of-work mechanisms and advanced risk signals
> Friendly Captcha does not depend on tracking your users and exploiting personal data.
What "advanced risk signals" are these that do not involve tracking (or fingerprinting) users?
GoblinSlayer
Probably cloudflare's geoip-based range bans.
firtoz
It's not really clear how it'd prevent bots...
> The difficulty of the puzzle, and therefore the time and resources needed to solve it, is intelligently and automatically scaled based on sophisticated risk signals to protect against advanced bots. Friendly Captcha is completely invisible and requires no manual user challenge at all.
So... magic?
Bancakes
What about hcaptcha? Wasn’t it supposed to be a less intrusive alternative?
gpvos
I get a wall of text with cookie approval/rejection buttons, but on mobile I can't even scroll to the top of the text to read it all. What a failure.
ta1243
Deliberate choice by the company trying to take your data. They don't have to do that, they want you to be pissed off with the wrong people.
ben_w
EDIT: ignore all this, as per other comment, this appears to be an unrelated company registered in a different country.
The real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de
-
Before edit:
Given this is one of the organisations who help give governments draft laws by advising them, and whose purpose is to help its members obey those laws, that would be rather self-defeating.
And given the web design apparent on the following page, I think this is much more easily explained as "bad web design": https://dg-datenschutz.de/imprint/
rustc
The choices are driven by the extra revenue and will not change until mass enforcement. Some sites (mostly news) even have a "buy subscription" or "accept cookies" option which I thought was not allowed under GDPR.
reddalo
Spoiler: it's not allowed. But until they get huge fines, they will continue doing that.
pavlov
The wall of text is horrible UI, but at least there's a checkbox with an obvious label:
"Do not sell or share my personal information (CCPA/CPRA)."
Most other websites try to hide this fundamental choice from you behind dialogs and endless options. (And of course outside the EU you don't even get to control this, your data will always be collected and sold.)
iinnPP
It's not well known but Canada also has rules (for any company or agency covered by Federal privacy law) around respecting the users wishes and gaining meaningful consent.
And as someone who was successful in making such a claim, it was a relatively easy process.
jokoon
I'm using materialistic on Android to scroll hn, and sometimes the article shows as black.
nottorp
And it's in German right?
hkwerf
At this time of day, I'd wager half of the users here are able to comprehend German texts. The other half knows how to use a translation tool.
nottorp
Funny you should say that... a friend sent me a page in German yesterday, helpfully linked directly through Google Translate so I can read it in a language I understand.
Unfortunately, the cookie dialog was missed by "the translation tool" and both accept and reject kinda look the same to me.
fsflover
Try to switch off js.
tpxl
Discussion from 1.5 years ago: https://news.ycombinator.com/item?id=36430280
notpushkin
> Google's invisible reCAPTCHA V3 simulation is now used on many websites around the world and no longer uses tests to check the humanity of users, but is based on behavioural analysis.
I had no idea. 90% of the time I’m getting the Please select all stairs bullshit. Another 5% is an outright block for “suspicious activity”. (I’m on Firefox, FWIW.)
vasco
That's 90% of the times you even see it :)
notpushkin
Fair enough! I was thinking about the checkbox variant, not the “invisible captcha”. But I have a feeling I’m still getting the task for that as well, most of the time.
mapt
Currently YouTube is blocked at work without a Google login, and Chrome keeps demanding and successfully convincing individuals operating shared PCs to stay logged in on a browser session indefinitely.
magicalhippo
> 90% of the time I’m getting the Please select all stairs bullshit.
Just yesterday it had me clicking all squares with motorcycles in them. I failed five consecutive times before it let me through.
Almost started to doubt myself.
metters
Is ProtonCaptcha [1] a good alternative to reCaptcha? I’m sure it is GDPR compliant but can anyone just use it?
notpushkin
I’d just selfhost a PoW captcha like https://mcaptcha.org/ – should be fine for most applications.
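To make concrete what a self-hosted proof-of-work captcha actually does, here is a minimal one in Python. This is an added, constructed example written for this thread, not code from mCaptcha, Friendly Captcha or any commenter, and it assumes a server-side HMAC key, a five-minute validity window and the difficulty numbers shown. The server issues a challenge whose salt, difficulty and timestamp are bound by an HMAC (so the client cannot lower the difficulty), the client brute-forces a nonce, and the server verifies statelessly. No cookie, fingerprint or third-party request is involved, which is the privacy point of the approach:

```python
"""Minimal proof-of-work (PoW) captcha, server and client side.

Constructed demonstration, not mCaptcha's or Friendly Captcha's code.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 300  # assumed validity window for a challenge


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def scale_difficulty(base: int, recent_attempts: int, cap: int = 24) -> int:
    """Adaptive difficulty: each recent attempt from the same client adds one bit,
    roughly doubling that client's expected work. The only 'risk signal' here is a
    per-client attempt counter the server keeps itself (an assumption for this demo)."""
    return min(base + recent_attempts, cap)


def _payload(salt: str, difficulty: int, issued: int) -> bytes:
    return f"{salt}:{difficulty}:{issued}".encode()


def issue_challenge(difficulty: int, now: Optional[int] = None) -> dict:
    """Server side: create a challenge. The HMAC tag covers salt, difficulty
    and issue time so the client can alter none of them."""
    issued = int(time.time()) if now is None else now
    salt = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, _payload(salt, difficulty, issued), hashlib.sha256).hexdigest()
    return {"salt": salt, "difficulty": difficulty, "issued": issued, "tag": tag}


def _work_hash(challenge: dict, nonce: int) -> bytes:
    data = (f"{challenge['salt']}:{challenge['difficulty']}:"
            f"{challenge['issued']}:{challenge['tag']}:{nonce}")
    return hashlib.sha256(data.encode()).digest()


def solve(challenge: dict, max_iters: int = 1 << 32) -> int:
    """Client side (what the browser script does): find a nonce whose hash has at
    least `difficulty` leading zero bits. Expected cost is about 2**difficulty hashes."""
    for nonce in range(max_iters):
        if leading_zero_bits(_work_hash(challenge, nonce)) >= challenge["difficulty"]:
            return nonce
    raise RuntimeError("no solution found within max_iters")


def verify(challenge: dict, nonce: int, now: Optional[int] = None,
           max_age: int = MAX_AGE_SECONDS) -> bool:
    """Server side: accept only an untampered, fresh challenge with a valid solution."""
    now = int(time.time()) if now is None else now
    try:
        salt, tag = challenge["salt"], challenge["tag"]
        difficulty, issued = int(challenge["difficulty"]), int(challenge["issued"])
    except (KeyError, TypeError, ValueError):
        return False
    expected = hmac.new(SERVER_KEY, _payload(salt, difficulty, issued), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # salt, difficulty or timestamp was altered by the client
    if not 0 <= now - issued <= max_age:
        return False  # expired, or claims to be issued in the future
    return leading_zero_bits(_work_hash(challenge, nonce)) >= difficulty


if __name__ == "__main__":
    ch = issue_challenge(scale_difficulty(base=12, recent_attempts=2))
    n = solve(ch)
    print("difficulty", ch["difficulty"], "nonce", n, "accepted", verify(ch, n))
```

As written the verifier is stateless, so the same solved challenge would be accepted again within the validity window; a production server additionally records consumed salts to stop replay. Raising the difficulty only for clients that submit repeatedly is how the cost lands on bots rather than on a human filling in one form.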
worble
Wow I had no idea this existed, thanks!
It's cool that it even allows you to get past captchas with JS disabled, I like this a lot.
KronisLV
Thanks for linking this, it’s always nice to see self hosted options.
TekMol
The site says
"Das Vorhandensein von datenschutzfreundlicheren Optionen steht im Widerspruch zu einem berechtigten Interesse"
which means
"The existence of more privacy-friendly options contradicts a legitimate interest."
But did they really test if the alternatives block bots as well as reCaptcha?
If not, wouldn't that mean there is a legitimate interest in using reCaptcha?
If the mere existence of more privacy-friendly options, no matter how inferior, means you cannot use a certain service, wouldn't that make the use of pretty much every service illegal in the EU?
tpxl
A similar argument was tried with 'we sell all users data because otherwise we would not be able to run the service, thus we have a legitimate interest.' It did not fly there either.
A service does not have a right to exist. The user has a right to privacy. The user's right to privacy trumps the service's want to exist. Not to mention that, yeah, there are ways to get similar or better blocking for free, if you have some technical chops at least. I wouldn't fault a small blog for using Google's captcha (although the need is questionable), but any company with at least a few employees should be able to figure this out at a relatively trivial cost.
Aerroon
> The user's right to privacy trumps the service's want to exist
The user can simply choose not to use the service?
s1mplicissimus
Data hoarding doesn't just hurt the individual, it's bad for everyone. The data-selling model will always have a strict competitive advantage against the good actors and so you as the user will end up with no options other than allowing that "legitimate" interest or not being able to access such a service. This has slight "people peeing in the community pool" vibes. Sure it may be "easier" for the individual doing it, but long term everyone just ends up with an unusable pool.
rustc
> there are ways to get similar or better blocking for free
How can you get better blocking for free?
BoujidStack
ReCAPTCHA’s privacy concerns are valid, but I wonder if alternatives like FriendlyCaptcha can offer the same bot protection while being GDPR compliant.
lyzml_AF
[dead]
nixass
[flagged]
roelschroeven
There's a massive difference between your personally identifiable information visible to people who physically pass by versus people all over the world + various automated tools.
Also you're making a difference between license plates and doorbell names where there is no difference; it's only muddying the waters. The only difference is: visible to people physically close by is ok, visible on internet is not ok.
lexicality
Germany... A place where you cannot publish a photo without permission from every person whose face is visible in it and yet people walk around with their faces uncovered all the time...
mmsc
False equivalence. Having your name on your own doorbell is a choice.
ben_w
Less so than you may expect. Lots of apartments around here, including my previous place — if my name wasn't on the building doorbell, post just wouldn't get delivered.
(Sometimes post still wasn't delivered, as somehow even DHL couldn't find a 100 year old building and kept going to a different building on an adjacent street…)
Snafuh
Germany also requires an imprint with name and address on any non-personal website. Non-personal can basically mean anything beyond a purely personal blog without comments or anything.
This is a very shady website and thus not a good source for legal advice of any kind… they call themselves “Deutsche Gesellschaft für Datenschutz” (German society for data protection) but are actually located in Bulgaria. They are not any kind of “official” data protection organisation.